Privacy Policy

Last Updated: January 7, 2025

1. Introduction

Quick Therapy Notes ("we," "our," or "us") is committed to protecting your privacy and the confidentiality of your clients' Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered therapy notes service.

Key Principle: We do not permanently store therapy notes or client PHI on our servers.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and professional credentials
  • Email address
  • Professional license information (for verification)
  • Billing information (processed securely through Stripe)

2.2 Usage Information

We collect limited usage data to improve our service:

  • Number of notes generated
  • Note format preferences (SOAP, DAP, Simple)
  • Feature usage statistics
  • Technical performance data

2.3 What We DO NOT Collect

Important: We do not permanently collect or store:

  • Therapy session content or notes
  • Client names or identifying information
  • Protected Health Information (PHI)
  • Clinical assessments or diagnoses
  • Treatment plans or therapeutic content

3. How We Process Therapy Content

3.1 Temporary Processing Only

When you generate notes:

  • Your session information is temporarily processed by our HIPAA-compliant AI partner (Botpress)
  • Processing occurs in real-time to generate your note
  • All session data is immediately deleted after note generation
  • No therapy content is retained on our servers

3.2 Local Storage

Generated notes are stored locally in your browser:

  • Notes remain on your device only
  • You control all generated content
  • You can export, delete, or manage notes as needed
  • We cannot access locally stored notes

4. HIPAA Compliance

4.1 Our HIPAA Safeguards

We maintain HIPAA compliance through:

  • Technical Safeguards: End-to-end encryption, secure data transmission, access controls
  • Administrative Safeguards: Staff training, security policies, incident response procedures
  • Physical Safeguards: Secure data centers, controlled access, environmental protections

4.2 Business Associate Agreements

Our AI processing partner (Botpress) operates under a Business Associate Agreement (BAA) that ensures:

  • HIPAA-compliant data processing
  • Immediate data deletion after processing
  • No unauthorized use or disclosure of PHI
  • Appropriate security measures

5. Third-Party Services

5.1 Authentication (Clerk)

We use Clerk for secure user authentication:

  • Manages login credentials securely
  • Stores basic account information
  • Does not have access to therapy content

5.2 Payment Processing (Stripe)

Stripe processes all payments securely:

  • PCI DSS compliant payment processing
  • Billing information stored separately from therapy data
  • No access to clinical information

5.3 AI Processing (Botpress)

Botpress provides HIPAA-compliant AI processing:

  • Temporary processing only
  • Immediate data deletion
  • No model training on your data
  • Full BAA coverage

6. Data Security

6.1 Encryption

  • All data transmission uses TLS 1.3 encryption
  • Data is encrypted both in transit and during processing
  • Local storage uses browser security features

6.2 Access Controls

  • Multi-factor authentication available
  • Role-based access controls
  • Regular security audits and monitoring

6.3 Incident Response

  • 24/7 security monitoring
  • Immediate incident response procedures
  • Breach notification within 72 hours if required

7. Your Rights and Choices

7.1 Account Data Rights

You have the right to:

  • Access your account information
  • Update or correct your profile data
  • Delete your account and associated data
  • Export your account information

7.2 Local Data Control

For locally stored notes, you can:

  • Export notes in various formats
  • Delete individual notes or all notes
  • Clear browser storage at any time
  • Transfer notes between devices

8. Data Retention

8.1 Account Information

  • Retained while your account is active
  • Deleted within 30 days of account closure
  • Billing records retained as required by law

8.2 Therapy Content

  • Never permanently stored on our servers
  • Immediately deleted after processing
  • Local storage controlled entirely by you

8.3 Usage Analytics

  • Aggregated, non-identifying usage statistics
  • Retained for service improvement purposes
  • No connection to specific therapy content

9. International Users

If you are accessing our service from outside the United States:

  • Your data may be transferred to and processed in the United States
  • We maintain appropriate safeguards for international data transfers
  • GDPR rights are respected for EU users
  • Local privacy laws are considered where applicable

10. Children's Privacy

Our service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • We will post the updated policy on this page
  • We will update the "Last updated" date
  • We will notify users of significant changes via email
  • Continued use constitutes acceptance of changes

12. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Email: michellewiltshirepsyd@gmail.com

Website: Contact Us

For HIPAA-related concerns or to report a potential breach, please contact us immediately at the above email addresses.